September 2025 Panel - VIDEO EDIT ===

Paige: [00:00:00] Welcome back to PodRocket, a web development podcast brought to you by LogRocket. LogRocket provides AI-first session replay and analytics, which surface the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at logrocket.com. Hey everybody. I am your host today, Paige Niedringhaus, and I am a staff software engineer at Blues and co-host of the weekly Front End Fire web development podcast. And we're back with another panel episode for this month, where we'll be talking about web content control, tech antitrust cases, web security, and AI mandates at work. Before we get into it, let's welcome back our panelist members. We have Paul Mikulskis, a PodRocket host and YouTuber.

Paul: Hey Paige, happy to be here and talk about all the spicy things we always talk about.

Paige: Oh yeah. And Noel Minchow, a LogRocket developer.

Noel: Yeah. Yeah. Hey Paige. I think this will be a good one. I'm excited to jump in.

Paige: I think so too. So we have a lot of [00:01:00] interesting, yeah, spicy topics for today. So let's get into it. So the first thing that we're gonna talk about is platform standards and control of the web. And we touched on this in last month's episode, if you listened to it, where Perplexity is getting into some hot water because it may or may not be actually, uh, following the rules as opposed to crawling, uh, different websites' content. So, to give you a little bit more background, uh, there is a standards organization called the IETF, and it is actively debating how robots.txt files should evolve for the age of AI. Proposals like AI Preferences aim to give site owners more control over whether AI crawlers can use their content.
While there are new licensing standards like RSL, Really Simple Licensing, which suggest embedding terms and royalty structures directly into site metadata, of course the big tech companies are pushing back, warning about data [00:02:00] fragmentation and enforcement challenges. Then, in other news that is related, uh, The Browser Company, which is the maker of the Arc browser and now the Dia AI browser, have announced that they've been acquired by Atlassian, one of the biggest tech companies around. And the acquisition kind of highlights how even the small indie browser projects end up folded into larger platforms, which raises questions about innovation, independence, and platform consolidation. So, before we talk about Dia and Atlassian, let's talk a little bit about the AI training. In your guys' opinion, should the default be opt-in or opt-out for the AI training crawlers?

Noel: Ooh.

Paul: It's already opt-out. I don't have to opt in now. Google just takes it anyway.

Noel: Who knows, again, and I do want to draw the distinction between, like, agent, like real-[00:03:00]time fetching, data retrieval, and, like, autonomous crawling for model training, 'cause those still feel very different to me. I do think we need signals to indicate that, um, like, a work is protected by some legal, like, you know, like, this is copyrighted, not for use. I wish that these regulatory bodies were approaching it more from that angle, because I think that the tooling is still so hard. Like, it's hard to know exactly, like, what is a browser? Like, that's gonna keep changing over the coming months. So it's hard for me to answer a question like, should the default be opt-in or opt-out?
'Cause it's, well, it probably depends on exactly what we mean when we say AI crawler. Like, that seems very broad.

Paul: And I guess a lot of the stuff you would think is a live crawl, to play devil's advocate here, Noel, you could run that as an ELT when you crawl and have all the information [00:04:00] anyways. So I'll hop on the "it depends" bandwagon as well. And it also, like, what is a fingerprint? Like, what is a piece of copyright, a watermark? Um, I think we're stepping into a very fuzzy time of what is that? Because a watermark, or some fingerprint, is realistically just a heuristic of identity. It's a heuristic to help us achieve this vision of identity. And we're getting to the point now where it's so fine-grained into how something's different. Can you put a patent through? It really has to be different. So the fidelity of what is something, what is its fingerprint, it's just the thing itself. Like, you're fingerprinting music. The talk of the town now is, well, the fingerprint is the song; that's the best we can get. So I don't know how they really wanna, um, make a separate subsection of licensable, traceable fingerprints and do that, 'cause it feels like a dead end a little bit.

Paige: I mean, the genie's kind of out of the bottle at this point. [00:05:00] Everything that has been available on the web up till this point has pretty much been crawled, if it can be. So it almost seems like it's a moot point at this point to have opt-in or opt-out for training, because they've crawled the majority of it.

Paul: Getting paid for that is a different conversation. Like, there can be royalties associated with activity around it, but yeah, the cat's outta the bag, the genie's outta the bottle. What can you do?

Paige: Yeah. I mean, because we've talked before about, like, the robots.txt. Those are, I don't think that those are really enforceable.
I think that the big tech companies who have abided by them are doing so basically because they need the PR to be good around them, like Google or Microsoft. But for the smaller up-and-coming AI companies especially, they don't care about that. They just need to scrape as much data as they can off the web, learn as much as they can, make their models as good as they can. They don't care if they're being good stewards [00:06:00] or generating good PR. They need to keep getting investment dollars and keep going at this point. They can be good stewards later on.

Noel: It's very easy for them to have plausible deniability as well. They can say, like, oh, well, the robots.txt was configured correctly for all these sites but one, and, like, you know, that person illegally mirrored it, but how are we supposed to know? Or not even illegally, but, like, didn't follow the standards on doing whatever. But, like, we're not supposed to be the stewards of the internet. Like, it's the same argument that Google made historically. Right. It's kind of a tricky one, too, with the original intent of robots.txt not being, like, a tool to gatekeep crawlers away from things, but, like, a way to functionally tell them, like, hey, this shouldn't be indexed 'cause it's meaningless to arrive at this. Right. Like, it was a tool that was meant to help inform other tools just on, like, how to be interacted with, not to, like, bar them from doing something in particular with it. That didn't really ever [00:07:00] seem like what the intent was. So I think the wires are a little bit crossed here. I don't know if there's any strong legal precedent for ignoring these or, like, doing something like that.
Outside of, like, what we were mentioning with, like, copyright and patent law, I don't anticipate it changing. Maybe the Cloudflares end up coming in and continue to try to play arbiter here, but I'm not sure I wanna be in that future either. So I don't know.

Paige: All right, so let's talk a little bit more about the acquisition of Dia that happened by Atlassian a couple weeks ago. I really, honestly, I did not see that one coming. You know, it seemed like Dia was gonna get bought by somebody, but I certainly was not expecting it to be Atlassian of all the companies. So, do you think that this acquisition, which Atlassian says is ostensibly to make Dia the work-focused browser, the work-focused AI browser, because Atlassian, for those who don't know, owns Jira, it owns Trello, it [00:08:00] owns Loom, it owns, like, SaaS tools that your company probably uses if you do web development. Do you think that it signals the end of any indie browser innovation, or do you think that there will still be these little browsers coming out and trying to be different or be, you know, unique in some way?

Noel: No, I don't think so. I don't wanna make it sound like it's, um, not a lot of work to make a browser. Like, browsers are very complicated pieces of software. Sophisticated maybe is a better term, sophisticated pieces of software. I'm not worried about innovation or anything in this space, I guess. I find this, like, a little bit positive. Like, I like the story of new browsers coming onto the scene and, like, having success in some way or another.
Like, anything that decentralizes the hegemony of Chrome is, like, a win for me. So.

Paige: Here's the thing about that. All of the new browsers that have been coming out, except for Ladybird, which is its [00:09:00] own, like, very off-in-the-corner, building-everything-from-scratch idea. All these new AI browsers are built off of Chrome. They're all using Chrome under the hood. They're just bolting on different AI tools and technologies. Yeah. Perplexity's, whatever theirs is called, like Opera Air, they're all Chrome underneath. So maybe it's not the browser, or maybe it's not, like, Atlassian that's signaling the end of indie development. But if everybody just wants to bolt their own AI agent onto it, and Chrome is, like, the platform of choice, maybe that is signaling something dangerous to the rest of the world.

Noel: Yeah, I mean, it probably depends on what, like, what your primary fear is, right? Like, if you don't like the, um, like, Chromium being the driver [00:10:00] here, like, then that is, like, I understand that fear, and it's like, okay, well, yeah, it's kind of like what you got, like Firefox and the Chromium browsers then, like...

Paige: And Safari.

Noel: Yeah, are the players. Yeah. You've got Safari, because, yeah, like, Edge is Chromium, like everything, all Opera is Chromium. So, like, you know, not great, but, like, I don't know. I guess I don't feel like this really has much weight on, like, that development one way or the other. It's like people are gonna keep reaching for the tool that is, especially if their goal is to, like, spin up a product and make, like, a browser as a product. Like, the easiest option is going to be to keep reaching for Chromium, probably.

Paul: Browsers have always felt very similar to, like, Linux distros to me, a little bit. It's just like there's, I like how you call it a driver, Noel.
Like, it is the central engine, and 80 to 90% of how I use the machine is the distro. It's not even the kernel.

Noel: Mm-hmm.

Paul: It's the [00:11:00] distro. Like, what does it look like? How do I interact with it? What gets pushed to me, if I want it to be pushed to me or not? It's all in the distro.

Noel: Yeah.

Paul: I kind of am on your side of thinking here a little bit, Noel, in the regard of, like, as long as Chrome is dethroned a little bit, that's always a good chip in the bucket. Um, and I definitely have a different flavor of the month, time to time, of, like, how I want to interact with the web and the companies that put out these products. And most of that is satiated from the distro level. From the face paint page, I guess, because, like, yeah, that's what it is. It's just face paint. Um, but it feels good. It works for me.

Noel: There are concerns, right, over, like, um, like, web entity standards, like for browsers and JavaScript and CSS and all that. And I feel like that's been a concern we've discussed as well. Or it's like, if Google can just do things, it's like, oh, Chromium and its ilk support it. It kinda doesn't matter if the [00:12:00] rest, like, they can kind of just drive the standards adoption. And I, again, I think that that's, like, the main concern there, like, at that lower level. But yeah, above that, it's like, well, if it's like the deification, like, I don't want Google to have all this, then it's like, okay, well, I don't really care if you're, you know, using Chromium under the hood.

Paul: What's Ladybird like? I actually have never downloaded or used it. Is there a good outlook for, like, oh, it's not ready?
Okay.

Paige: No, no, it's still very much in the early stages. Well, actually, there may be, like, a very early beta version, but basically it's a bunch of tech people who have helped build browsers in the past and just wanna build something completely from the ground up with no help from any existing, you know, browser, uh, anything. No Chromium, no Gecko, no nothing. Um, yeah, so you can search for it online and, like, read a little bit more about the team behind it and the things that they're doing, but it [00:13:00] just seems like such, um, an enormous task, especially in today's way of the browser, that they'll be able to recreate all of the functionality and all the APIs and all the stuff that people have come to expect, uh, from scratch. It's very ambitious.

Paul: That sounds very ambitious. There's, like, something about human nature as well, as, like, needing certain levels of hierarchy and red tape and organization to make gears turn. Like, DAOs are a great idea. There's a reason they work in 0.0001% of situations. Um, having tried to start a DAO myself personally before, and, like, uh, as part of a team I was on, oh my gosh. It's just, like, the human nature of organization is a beast. I mean, it's a gargantuan task. They're gonna need gargantuan SOPs and ways to handle themselves. It'd be cool if they do it.

Paige: Yeah, I mean, [00:14:00] we'll definitely be keeping an eye on them. They're looking for sponsors. They want to be, you know, fully funded and not beholden to VCs, for instance. So they've got a lot of, like, really nice high-level ideas. Um, it's just the question of if they'll be able to achieve such a great, uh, undertaking.

Noel: Do they have in the manifesto somewhere that, like, we will not end up receiving most of our funding from Google to keep us alive, to help us curb antitrust?

Paige: I think they do, something along those lines. Yeah.

Noel: Okay, good. Like, I'm a Firefox user.
I'm not, like, trying to throw too much shade. Like, you know, it is what it is, but...

Paige: I mean, I still use Chrome as my daily driver, for better or for worse. It's true. And that's actually a good, uh, a segue into our next topic, which is all about Google. They recently, uh, got a ruling on their federal court case for their antitrust, uh, [00:15:00] suit that was brought against them. So they won. They do not have to sell off Chrome. They did not have to sell off Android. They basically kind of get away scot-free, if you ask me, in terms of, like, what they have to do, which is share some of their search data with other competitor browsers. Um, yeah, which I'm sure they will appeal and find a way not to do, but the decision really raises the question about how much regulators can or will rein in big tech and what that means for competition today. So, I think that the ruling does show that regulators can't keep up with it. But do you see this kind of a ruling kind of emboldening other tech giants like Microsoft, Amazon, OpenAI, et cetera, to also potentially do things that may or may not be completely legal?

Paul: I mean, it has to. It [00:16:00] has, yeah, it has to. I just wonder, like, what the way that'll be chewed on by those constituents. Um, it also raises the question of, like, uh, what is good versus progress? Um, 'cause we all know when you have one repo versus several repos, centralization makes you go fast. I would rather have a monopoly and better technology than a decentralized landscape and less technology than the next guy. Um, I'm not sure if, like, we want to go too hard on telling Google and Microsoft to chill out at the detriment of forward progress, but I have no knowledge. I'm not an economist. I don't know how that works.

Noel: It'd be hard to even speculate, right?
Like, I'm sure people have their guesses, but...

Paige: Antitrust enforcement just seems like almost, like, a completely lost cause, because none of our governments can move fast enough to keep up with the way the tech is evolving. So [00:17:00] we need something. I don't know what the answer is, but we need some way to kind of curb them and rein them in a little bit. I just don't exactly know how we're gonna do it.

Noel: There's something interesting here where it's like the economies of scale, like, happen so quickly in tech, right? Like, it's like that efficiency, like, comes to fruition so quickly, versus, like, before, you could kind of see, like, it was easier to see coming over a 10-year thing, where it's like, okay, this company's getting big. Like, they're this share of the market. You can see what quantity of the steel being produced is coming out of this factory, or whatever, by, like, factories owned by this entity. Versus, like, it's so much more nebulous when you're, like, users doing searches. Like, uh, when does that become a problem? One of those entities can be 15% more efficient, and, like, it's trivial for everyone to switch to them as their supplier. It's like, I just change a preference, right? And it's like, it's all free. It's there. [00:18:00] So, yeah, like, we'll see. I agree. It seems bleak, and, like, AI, like, prompting, feels like particularly bad, but I mean, the search space, there are people that use other search engines, like they do, um, especially in the tech groups. But, you know, it feels like people kind of doing it out of a matter of principle. So, you know, it is what it is.
This is probably kind of, it's weird news if you're on the board of Microsoft or, like, a major shareholder. 'Cause it's always like, okay, good, like, less antitrust power. But it's also like, this is a big win for Google, you know? So, I dunno.

Paul: It also, these conversations ride on the assumed truth that there's a separation of, like, church and state, church here being, like, technology. Like, oh no, those are two different entities, and this entity needs to have power over that entity to make sure there's not these big monopolies, blah, blah, blah. The conversations we could talk about [00:19:00] and, like, totally, like, I don't think any of us want a reality where, like, those are completely merged, um, because power becomes corrupted and way too centralized. But at the same time, it's a nuanced conversation, because especially in the age of AI now, we are changing how we govern ourselves as biological entities ourselves. Um, technology is changing how we govern each other. I mean, if we didn't have electricity, the stock market would disappear. It wouldn't disappear, but it would become inoperable for a while. There'd be disasters as such. Like, we're kind of commanded in our behavior by the technology. So I think that creates extra hairy blurring of lines here, where it's like some of it is just pure steel in the factory coming up, but some of it's also a metaphysical question of how we govern ourselves. Um, DAOs are always interesting. I always go back to, like, the DAO thing that happened, like, two years ago, where people really tried to build actual incorporated companies [00:20:00] off of, like, smart contracts that dictated how they governed each other. And that was probably, like, the deepest we've seen of that metaphysical way that we arrange ourselves.
Um, but yeah, like, browser traffic going through a browser, like Noel said, that's just maybe how we govern ourselves. Like, it's a self-steering thing, to some degree, not to all degree. It makes it very, uh, difficult to wade through if it's a problem or not. Like, is this a more efficient way for humans to live? I don't know if I like it, but...

Paige: Yeah. I mean, one of the things that was interesting about this when this ruling finally came down is that Google stock surged 8%, so obviously the market is in favor of Google continuing to hold the power that it does, uh, and doesn't feel too bad about the, you know, what that means for us more generally. So, yeah.

Noel: I think, like, [00:21:00] Apple and Microsoft both had upticks as well, right? So it's just like, which is, it's this weird thing where it's like the market seems to be more concerned with the hand of the government than, like, the power of Google's, like, competitive edge there. Which is, like, it's bizarre that the competitors' stock, like, that's the optic that feels weird here. Like, you'd think the competitors would be like, oh, like, you know, this is a win for Google, which is bad for us. But it's like, no, it's like the market seems to be more concerned with the laws themselves that then would set the precedent for what services that Microsoft owns, or Facebook owns, or Netflix owns. Like, that is the thing that is of greater concern, again, to the market at least. So, yeah, we'll see. And again, this relationship is weird. Like, what's, um, Google's payment to Apple every year to keep Chrome the default search? Like, that's a big number. Um, like, back to [00:22:00] my Firefox joke a second ago, like, it's crazy how intertwined this all is. There's this, like, weird grid of, like, okay, these are our services.
And it's like, I don't wanna say it's, like, um, like, collaborative, or, like, I'm blanking on the word. Um, but some kind of, like, back-dealing going on necessarily. Like, in this case, it's just, like, this gridlock of, like, the power in tech here. Um...

Paige: Is collusion the word you're looking for?

Noel: Collusion was, I don't know if it's collusion, uh, but it's just kinda, like, this, like, okay, you scratch my back, I'll scratch yours, kinda feeling.

Paige: Not really sure how that's gonna pan out in the future, but I'm sure we will have more, uh, more news about it in the not-too-distant future. So let's talk about something else that really, within the last couple weeks especially, it seems like, has been cropping up again and again. And [00:23:00] that is, uh, security on the web.

Noel: Mm-hmm.

Paige: So I actually didn't know about this until prepping for this show, but it's been a rough month for digital security beyond npm, which most developers are aware of.

Noel: Yeah.

Paige: So PayPal confirmed a massive data breach that affected 16 million accounts, and at the same time, there was a separate glitch that froze 10 million, 10 billion euros' worth of transactions across European banks. And then on the developer side, as most of us are probably aware by now, npm has been hit by not two, but maybe even three back-to-back supply chain attacks within the last couple of weeks. Uh, first there was the maintainer, the OSS maintainer Qix. He got phished, and attackers published malicious versions of widely used packages like debug and chalk all over. Um, it's funny, though, because the code attempted to hijack cryptocurrency transactions if you [00:24:00] had a wallet attached to your machine that you were also...

Noel: Somewhere.

Paige: Yeah. That you were also doing your web development work on. So.

Noel: Mm-hmm.
Paige: I saw that probably they got next to nothing for all their work.

Noel: Yeah. I think it was less than a thousand dollars. Like, I know. Yeah. It was not a ton. Yeah.

Paige: Yeah. And then, uh, days later, there was another, uh, a worm-like supply chain attack that was called Shai-Hulud, which was a nice Dune reference, where it had, um, malicious packages that included post-install scripts that were harvesting secrets and exfiltrating them through rogue GitHub Actions workflows, and then publishing those tainted versions to over a hundred-plus packages on npm. And these included big packages. There were CrowdStrike libraries in there. Um, there was the s1ngularity and Nx compromise. It's just, we just can't seem to [00:25:00] lock ourselves down. So I guess the question is, or the discussion can start off, is, what can we do to make our ecosystems less fragile and less susceptible to these sorts of attacks? 'Cause they're just coming hard and fast lately.

Noel: We just interviewed Feross Aboukhadijeh yesterday. I'm not sure on the timing of when these will be released, but he's the founder, uh, and CEO of Socket. So, you know, like, he was talking about Socket, but the big thing we talked about was how the vector for all of these has been, like, post-install scripts. I guess for npm specifically, it's like, if the precedent wasn't to allow packages to run post-install scripts, like, all of this would be so much harder. So I suspect the actionable thing over the next six months is there will be, like, changes in the defaults of how those behave. Like, npm will do something like pnpm and, um, Yarn, and so, like, there's already a precedent for being able to [00:26:00] control which packages can and cannot run scripts, versus it being, like, an all-or-nothing.
So just, like, a quick functional take is, like, I think that there are things we can do here to make us, like, less prone to this. And I think with the amount of heat that we're seeing right now, there probably will be a change kind of at this level wherein there's, like, some kind of auditing layer that's like, hey, all of a sudden this package, which has never had scripts before, is trying to run a script on your machine. Like, do you want to allow that, kind of thing? Um, which seems totally reasonable. Like, if I have a couple packages which I know are doing something at the OS level, it's like, okay, those can, but, like, why is something that's doing, like, textification or something, why does that need to run a post-install script? It's like, okay, probably not. Um, so that'll be big. Um, but yeah, like, I don't know. I think there's also this kind of precedent wherein we don't think about, when installing a package, like, whatever, like, you don't think about what you're actually doing. Like, if [00:27:00] that was you downloading an .exe from some random website and, like, running it on your computer, you'd have way more pause than any, you know, npm install that you do. And I think there was always the thing like, oh, it's open source, got eyes on it, but obviously there's, like, big enough windows in there where these things are sneaking out, and people are pulling and doing updates and pushing them. And, like, that cadence is so fast that it's been enough to propagate, uh, these last couple major vectors here.

Paul: Without a post-install script, they'll still figure it out. Um, like, the line will always be moving. Um...

Noel: Yeah.

Paul: Is there so much we can do now? Like you said, no.

Noel: There's a back and forth, for sure.
I just, I think right now we're, it's, we're lagging. Like, you know, the reality is lagging between, like, there's a very wide opening right now. I guess that's, like, it's very, I don't wanna say easy, but it's very susceptible to these kinds of problems. So I think, like, it'll close. There'll still be some potential to do something wrong. Maybe [00:28:00] some package that does need scripts will be one that's compromised, although there will be something else. Like, who knows?

Paige: Do you think something like, uh, two-factor authentication or other stuff could be used to kind of help make it a little bit less, or add a little bit more friction to the actual publishing of these malicious packages? You know, like, enter your six-digit authenticator key or something to just add a little bit of extra security. Do you think that would also be beneficial?

Noel: Probably. I don't know. I've never maintained, like, an npm package that has this much activity. So I don't know, like, if it would raise any alarms. Like, maybe I'm making changes frequently enough, or, like, every time I update something I'm just hitting publish and just hitting okay. Like, and it would be easy for something to still slip through if I was the one doing it. But I mean, it would help, like, the self-publishing problem, right? Like, it would help quite a bit with that. Um, [00:29:00] I don't know if users or developers and organizations would want to. I would think so. It seems like a pretty low, um, amount of effort, but I dunno. Yeah.

Paul: If the attack vector is the person, then 2FA is marginally helpful.

Paige: Yeah, that's true.
If you're a maintainer and you've already gotten access, or, like you said, you've somehow installed some malware, that's just gonna keep propagating. There's not a lot that you can do.

Paul: But it's gotta help.

Paige: Mm-hmm.

Noel: Mm-hmm.

Paul: It's just another pebble to fill in the crack somewhere.

Noel: Yeah. I mean, it removes the capacity to, like, do a publish from something like a worker, right? And, like, maybe, like, that, and I think that that would be, is, like, the big thing here. It's like there is a human step that needs to occur all the time to publish a version, which I think, like, a lot of these workflows intentionally were not set up like that. Like, we make a thing, we tag it, and it's automatically gonna publish to npm. It's like, that makes sense. Like, that's probably how you do it. Um, [00:30:00] but yeah, maybe there's something, or maybe it's something that, like, npm enforces, and it's like you hit a certain size and it's like, we won't let you publish with the number of pulls that you've got a month without a human being involved here. Like, something like that.

Paige: Do you think that there is more of this happening because of AI? Like, people who might not have been able to do this before now are, because they have AI agents who can kind of help them write this type of stuff? Or is it just that maybe we're getting better at catching it and it's getting publicized more widely? Like, it seems like it's really ramped up in terms of scale in the last year or so in a way that I don't remember it ever being before, and I'm not sure why that is.

Paul: That's a good question. I mean, hey...

Noel: My...

Paul: Getting a thousand dollars? Yeah. They used AI; they don't know what they're doing.

Noel: Yeah, that's exactly, that's my thought as well. Like, it seems, it's weird, because, like, this [00:31:00] stuff seems so sophisticated, right? Like, it's, like, so clever, right?
It's like, oh, like the, the first one of these, um, like the, the, the attack, the attack vector was in the, they figured out a package would execute code that was in PR titles. Like if you kind, it was, it was like a SQL injection, but there was a GitHub action basically that would echo out the name of the PR title that had just been opened against it. Right. So like someone would open a PR against this repo and then they would echo it for some piece of their workflow, like some piece of their automated thing for like a log or something. Someone figured out that they could like escape that and get it to execute code that was in the PR title. Right. So then like they did that, they used that to echo out keys into their own branch or like, you know, make a, make a web request. Um, and what was crazy is like that problem had actually already been fixed on the main branch, but you can open a PR against an old branch, right? Like in GitHub. So they opened a PR against an old branch, which still [00:32:00] had this thing in it. GitHub is still using the action as defined in that old branch, so they were still able to get the keys out. Um, so long story short like that, that seems like, like someone thought of that, like that was a very, like, someone saw, saw all the pieces and knew how to make that come together. Um. So like that, that kind of puts me in this moment, like, maybe, maybe it's not AI. But then on the other hand, it's weird that none of these have been like hugely successful, um, as, as like, as defined in dollars, right? Like if your goal is to make money, I guess it seems like, like a lot of effort and energy, um, for an attack that hasn't been super lucrative for the, you know, perpetrator. Um, so.
Paige: was caught quickly after it happened.
Noel: Yeah. Like maybe, I suspect like the copycats, like we're getting, we get copycats more rapidly that are like slightly tweaked versions. That's probably facilitated to some extent by AI.
Um, but, you know, like, it's hard, it's [00:33:00] hard for me to speculate beyond that.
Paige: I mean, yeah, it, it's not going away anytime soon. So, like we said, hopefully, uh, the people at the highest levels of the platforms, NPM, NPM, I know that it's happening on PyPI and, and Go package manager, and like all the other platforms, it's not just JavaScript, that's just the ones I'm most familiar with. Hopefully they will help introduce better, uh, better controls so that we have less of this in the future.
Noel: Yeah.
Paul: And we'll get some cultural changes too, like no, no sudden, just like I've been pinning my package versions recently, like little things like that. Just like, why didn't you do that before? It's in a moment of awareness for us all.
Paige: Yeah, you just trusted that the little caret meant everything would be better when you update it to a new package. And yeah, we're doing exactly the same thing. We're pinning all of our packages, we're using npm shrinkwrap, which I've never used before. Uh,
Paul: used that either.
Paige: Yeah. Yeah. You might wanna look into it if you [00:34:00] do, if you do publish NPM packages. Right. Uh, so another topic that we have is AI related, and that is the fact that a lot of companies are wanting us to use AI at work. They're encouraging it. So, for instance, the, the one that we're gonna talk about is, uh, the Coinbase CEO revealed that he had fired engineers who didn't adopt AI coding tools like Copilot and Cursor within a week. He says AI is important, not optional, and wants 50% of the company's code generated by AI by the end of the quarter. So as usual, the critics are arguing that this kind of mandate hurts morale. Just like when we argue that the points don't matter if you're pointing your stories and how many points you get done in a, in a sprint, but others are saying it's just the reality of staying competitive.
And in a kind of so question, do you think that companies should mandate AI tool usage as a condition of [00:35:00] employment? Should, should this be a thing?
Noel: I mean, I wouldn't think so. This, this feels to me like someone mandating they use like a certain editor or something. Like I not, not in that like editor choice maybe has as much an impact on productivity one way or the other. It just, it just feels like a weird thing to be, you know, drawing lines around. I guess maybe like, I'm, I'm not saying that organizations need to be like, like need to have strong stances one way or the other. Like maybe they can be like highly encouraging it, um, and it's like, well, you're not productive, you're not productive enough with our stack. Like maybe that's 'cause you're not using a, or not using AI or maybe you're using it poorly or whatever. Um, it feels weird to just say like, 50% of the code should be AI generated, like, feels like a, like, just like a very bizarre hill to die on. I.
Paige: Yeah.
Paul: It is also a very, uh, non-forgiving way to allow a [00:36:00] new tool to sit with people. Like it, it sure. Maybe it's efficient to getting people to do it. Just 'cause it's efficient doesn't mean it's the best thing. Like, uh, let me tell you about my new sorting algorithm. Stalin sort. It goes in O of one. You just go along the list and if something's not in order, I eliminate it. Now everything's sorted. Like, like that. It feels like that. Um. And, and secondary to that, like, uh, oh man. I had another point that I really wanted to throw out there in addition to the, I forget what it was. Sorry.
Noel: You are good.
Paige: That's okay. I mean, there are a couple of questions that I have about this. The first being, how are you going to know whether the code was generated by AI versus by a, a developer? Because I use a tool called GitLens in VS Code, which just shows you each line and who wrote it so you can see, you know, it was added seven months ago. It was added by this developer in this PR, whatever.
Noel: Git
Paige: when I'm using.
Noel: is great. Sorry. It's
Paige: so when I'm using Claude Code, it's still showing up as me because I'm the one who's actually committing the code and pushing it to GitHub, even though Claude wrote it, and I probably edited it a bunch before it actually [00:37:00] got pushed to GitHub. So how are they gonna know that it was me versus it was Claude, or it was a combination of the two, which is probably the more likely scenario for a lot of this. I'm not just 'cause God, I don't trust Claude as far as I can throw it. I mean, you tell Claude to do something, you give it some other files to reference and it still goes off and well like
Noel: Yeah. Does
Paige: do something completely different without lots and lots of oversight.
Noel: Yeah.
Paige: So I just really, I really struggle to see how they're going to quantify this in the way that he is saying that they will.
Paul: It also feels like a forcing function, like time and time again on whether it be my team or a team above me telling me that they need something. They'll say, okay, when do you need this? By this date, that's not possible. Too bad. We're just setting the date because it'll, like, it's a forcing function and everybody knows it's like maybe not gonna hit that date. Um. Because like the, the [00:38:00] CEO is saying that it, my, this was gonna be my immediate response. It depends on the company. Like we're privileged enough to work with people that are actively curious to learn new things every day. And like that's a completely different beast than if you have a team of like folks who are just there to like show up, do a great job 'cause that's what you hired them for, and then go do something else.
And so like those people may not reach for something as quick as you would hope them, and then there's a lag. So there maybe does have to be some forcing function. But man, do, I mean, you can do it eloquently. That's possible too.
Noel: Yeah. It just, it I get, yeah. It just, it just seems very, very strange. It's like, sure, if you want to, if you want to cull some portion of your workforce that you deem the least productive. Sure. Like, it's just like, but why say it's the, you know. It's like the users that are least proficient in command line or like those that don't, like, don't know bash, or those that aren't prompting as much, just like, seems like whatever, like if you wanna pick an arbitrary metric. Sure. But, um, I.
Paige: Do, do you think, or can you [00:39:00] think of any metrics that do make sense for measuring AI adoption or AI usage? Like I. I mean, I can see how much money I've spent with Claude on a daily basis,
Noel: Prompts per minute. Uh, yeah.
Paul: I mean like the, the
Paige: many s I've consumed? Yeah.
Paul: some way to like judge feature add. If, if like we could put story points. Let's say story points are universal and we can like use them or t-shirt sizes, how many points can you push across with the minimum amount of code? Like what's that ratio like? Minimizing code has been more pertinent than ever.
Paige: Mm-hmm.
Paul: If that could be a quality of success 'cause that's TSE
Noel: Yeah, but I, I don't, yeah, I, I don't like, I, I feel like if you're just academically though, trying to get like a number on like a, a adoption, right? Like what percentage of devs or like work that devs are doing is heavily AI assisted? Like, that seems tough. Like I don't really, I don't know because it's like auto complete. It's like, okay. [00:40:00] Like at what, at what, at what point is the auto complete, like really AI? You can say all of it is and you make that point. Sure. And then it's like probably very high, right?
Like if at any time you have a function auto completes doing something, you can very quickly probably get to like 90% of code or
Paige: Mm-hmm.
Noel: Um, but that feels very different than me in like agent mode, just having to go off and like spin up a whole new workflow and files and project and stuff. So
Paul: And there's always gonna be value of having the non-AI person on your team, like it's a pie chart of skills. You want a full pie chart?
Paige: I wasn't even thinking about the non-AI person, but just the non-AI development time to make sure that our skills stay sharp as developers, because I, I am sure that they're atrophying, at least personally. Just because I can use Claude and I can use GitHub Copilot, so I don't have to go out and figure out why that, you know, error is getting thrown in my GitHub action workflow or figure out how to fix this TS lint error. 'cause I can just tell Claude to fix it instead. [00:41:00] So,
Noel: Yeah.
Paige: you know, it's important for me as a developer to sometimes not do things with Claude just so that I can still do them.
Noel: I find, I find, I find if I'm in a project that I've been like using a lot of prompting on and not been auditing it super well, I get this like increasing anxiety of hitting the point where I'm going to have to actually go into the code and figure out what's going on. 'cause I know it's gonna be bad. Like I like, like I know like if I actually have some really gnarly bug here, like it's gonna be hell. Because it's like, okay, I've kind of just unleashed like a, you know, a dev that's like doing a bunch of drugs before they write any code all the time. Like, and just written my whole project. I've gotta go audit it. So yeah, like I, I don't know, like it's, it's, it's, it's the same kind of thing. We've been trying to come up with these metrics forever. Right. And it's really hard to know, like co even even coming up with a metric for like code health, we try to come up with like complexity.
Um, like stuff, like all that stuff is just, it's [00:42:00] so you can kind of do it and turn your head and squint and like, you get numbers that kind of mean something, but it's just not practical. Um, so I feel like you kinda just have to ask people. That's probably the, like ask a dev what percentage of their work they're just doing with prompting now and like, you get a, get an idea, but
Paul: An honest answer.
Noel: Yeah. Yeah.
Paige: All right, so before we go on to our hot takes, we will take a quick break and be right back. This episode is brought to you by LogRocket. LogRocket provides AI-first session replay and analytics, which surface the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at logrocket.com. Alright, so this is one of my favorite parts of the panelist episode. It's where we get to rant about things, and it can be fun, it can be ridiculous, it can be anger inducing, whatever you want. So Noel, would you like to [00:43:00] start us off with your hot take for this episode?
Noel: Uh, yeah. Yeah, I can, uh, I can kind of, and we, we, we kind of, we kind of preempted it a little bit there in that like I am, um, I'm increasingly getting to the point where like I find myself just being like a reviewer of code that has been, I was already getting this way. Just like, you know, as, as organizations grow and stuff, like spending more and more time writing code and I'm just like, it's, it's becoming more and more the reality I find now that like the writing of the code is not the hard part of software development anymore. Increasingly, to a degree that's like almost absurd. Like, I can't, like I, I, I struggle to even articulate it like before. I think that was the case as well. We would always say this thing. No, it was like requirements gathering and like the a, like APIs and interfaces and how things plugged in. Like that was the hard part.
And we'd say that, but then still a large portion of the time was like writing code one way or the another, uh, or the other. But I have found like as prompting gets better, and then regardless of how you do, if you're just like in agent mode, letting things run and do their [00:44:00] thing and then going in and letting your project be kind of unhinged, or you're like very diligent as you go step by step regardless, it's still just like so much less of my time is actually like writing characters and functions. Even if I'm still reading code and it's like, it's cool being that productive, but I'm like, I fear that we're gonna see like industry burnout to a scale like we've never seen before as everyone just, like, I hate just having to do code reviews all the time. Like it's kind of hellish. Um, so I, I, I don't know. I'm, I'm sure there'll be some kind of like pushback. People will be writing more, but um, yeah. Yeah. So I, I don't know if I have like a strong takeaway here or anything that I wanna like see happen. Like, I don't know, but I do have this. Yeah. Like just this kind of growing fear that there's just more like, I don't know, rising burnout, discontent over just like the, the work that's being done. And this probably actually isn't isolated or just like software engineering. I'm sure the same thing's happening and like anything that's like pseudo creative writing and stuff, like, they're probably experiencing the same thing. Um, so I, I imagine there'll be some, you know, there'll be some kind of, uh, and dialogue happening around this in a little more focused manner over the coming months, but we'll see.
Paige: I mean, I, I subscribe to a lot of newsletters. So I get newsletters for marketing and for stuff other than web development. And basically it seems like everybody in every industry is overwhelmed by the amount of tools and AI things and just like generally not knowing what's going on in the world in general.
Noel: Yeah. [00:45:00]
Paige: So yeah, I think we're in for a reckoning pretty soon.
Noel: Yeah, for sure. Again, like one way or another, maybe AI won't change everything overnight, but even like, like just this, this like the, the way in which we work is changing so quickly. It's like analysis paralysis, all this kind of like existential, what's my value if I can just ask the machine to do it kind of thing. Like it's all kind of, kind of happening.
Paige: Yeah. Good hot take. Uh, Paul, what is your hot take?
Paul: Because mine is like strikingly similar. I was going to talk more about the job market as I'm kind of seeing it. 'cause I just know a lot of folks 'cause I have many younger siblings.
Noel: Mm.
Paul: Who are entering the job market. So not just them, but their friends. And one of them is in a frat, which is a computer science frat. So all of those guys and, and people, so many, many people. And I didn't expect, uh, to see what kind of, what I'm seeing, but it seems like there are so many jobs out there. Like, so, [00:46:00] like I, I'm overwhelmed at how many jobs there are for people to choose from. They're just all crap. Like, they just all suck, you know? I was always afraid like, oh man, like jobs are gonna go away. Or like, jobs are, are gonna like become super scarce and like seniors only, I've said it on this podcast early in 2025, late 2024, but it's kind of the opposite. There's way more jobs and they're just paid way less. And I, I think this is a good one after Noel's because that's kind of what we're seeing where there's gonna be a reckoning of like, look, I just can't do that 'cause I'm a human being. And the response is like, oh, well there's gonna be somebody who can do that. So like, you're gonna get paid less and that person will get paid more. I like that. Just supply and demand. Um, so I'm a little bit afraid of like exactly what Noel talked about, which is industry burnout. All of us on this pod right now are feeling it, um, a lot.
And I can't imagine like entering the field. Um. [00:47:00] So I will call it the ification of tech jobs. That's somebody on Reddit used that title and I loved it, so I'm stealing it. Um, kind of seeing it play out finally a little bit.
Paige: Yeah. Uh, I, I, I hope things get better. I don't know exactly how they're gonna get better or what that's gonna look like, but we can't continue the way that we are, I
Noel: probably need more AI. That's probably the
Paige: Yes. That is it. That's a good one.
Noel: Yeah.
Paige: All right. Uh, so my rant for this time is going to be about security because we've already been talking about it, but it is just, I mean, it, it just kind of shocks me how bad we've become about security or how lax we've become as a society. I mean, vibe coding came along and then suddenly things just like started blowing wide open and data breaches started happening and apps started getting pushed out and then taken down and like people were uploading their [00:48:00] driver's licenses and they weren't encrypting them, like the, uh, the Tea app and, and then against the Tea or whatever it was, like the guys' version of it. So just like, we, I remember when I was a little kid back in the nineties when it was like it was impossible to find, people wouldn't give you anything. They would not put out, they didn't want their name in the phone book. They didn't want their address published. They didn't want anything like pictures, none of that. And now we're all just putting it out there on every website. We're putting our credit cards into things. We're plugging our social security numbers into stuff just. God, please just think about it before you just put all of your personal information online. Think, think for a second about when this website gets hacked, what kind of a problem that's gonna create.
If your driver's license is out there or your social security number's in there, or the password that you also use to access your bank [00:49:00] is the same one that you're using to access this New York Times game puzzle or whatever. Just.
Noel: Yeah.
Paige: Please just think more about security and be a little bit more security conscious. Use, use a password generator. Use a password manager. 1Password, Bitwarden, something. Just, yeah, please just think a little bit more about, about keeping your information secure because it is such a pain when it gets, when it gets exposed.
Noel: Totally, totally.
Paul: Now we're in a world with voice ID on banks.
Paige: Yes,
Noel: Yeah.
Paul: I cl I cloned my voice in ElevenLabs. It was really easy.
Noel: That's easy. Yeah.
Paige: Exactly. I just heard that celebrity scams are becoming a thing and they'll call you or they'll message you and it's some celebrity, you know, trying to start a chat with you and it's not, it's some scammer.
Noel: Yeah, it's hard. And I feel like there's like, I, like you see, you see tech people falling for it all the time. Like some of these big like NPM breaches. It's like you [00:50:00] look at these phishing emails people clicked on. It's like, that is a good phishing email, like it, like they, the way they spoof, like the email, the sender address, or they'll use like, something that's super similar and like, or is under the same domain, but they, uh, like the company hasn't, um, set up like the email handshake on like specific subdomains and stuff. So they'll use something that's there. It doesn't get the little lock on it, but like the email clients won't show you unless you like, expand it and know to go look in like. It's, uh, it's tough even if you're, even, even when being diligent. So it's just like,
Paige: Yeah,
Noel: yeah, I worry. I worry for sure.
Paige: just take that extra second to, to think about it before you just put it out there. That's all I'm saying.
Noel: Totally.
Paige: All right. Well, I think that that is going to wrap up this episode of the PodRocket Panelist podcast for this month. Thank you, Paul, for joining us, and thank you Noel.
Noel: Of course.
Paul: you Paige.
Noel: Thank
Paul: Always fun to have these in banter. We get an excuse to banter.
Noel: [00:51:00] Mm-hmm.
Paige: Well, thank you everybody for listening, and we will see you again on the next episode.
Noel: Yeah. Thanks.